How do you architect for regulatory compliance?

I know this is a hot topic for IT managers. In a recent poll of CIOs, it ranked number one, even ahead of security. So the question is: are there models you can study to gain greater insight and that provide you with some really usable guidelines?

Here is a great white paper that does just that. I found it really useful since it provides the processes and tools that the Microsoft Information Technology Group uses to “systemize the approach of supporting regulatory compliance.” And, “this approach uses a framework of common security controls, unique tools for monitoring, and IT tools for tracking and reporting compliance.”

It is worth the read to gain deeper insights.

Thank you,
Stephen Ibaraki

Comments (5)

  1. Adam Cole says:

    This paper has some excellent ideas for managing the multiple sets of regulations that apply to any large/public company. I will be forwarding it to our manager of corporate security and IT compliance.

    I wonder, does Microsoft have any thoughts of making publicly available the suite of tools they use internally? Would others find value in this?

  2. Stephen Ibaraki says:

    Hi Adam,

    It’s good to see you here. Do you have added insights to share from your experiences?

    Thank you,

    Stephen Ibaraki

  3. Adam Cole says:

    Hello All, Hello Stephen,

    In October past our local CIPS chapter (Toronto) held a CIO roundtable on IT Governance. I believe many readers may find the discussion that took place enlightening, hopefully even helpful. There were a few key take home messages for me. I feel the following points are just as relevant to compliance as they are to good governance:

    • “Governance means fundamentally different things to different people.” This is equally true for compliance. I find I am frequently trying to balance architecting for the “stringent” auditor versus architecting to meet the “spirit” of the regulatory guidance.

    • “IT and corporate governance should not be treated as separate entities.” Certainly the same can be said for compliance. There is simply too much waste if IT compliance is not framed and managed within the confines of corporate compliance.

    • “The policing role of IT is a given. CIOs need to accept it, and move beyond it.” …And here I was thinking policing was the fun part of my job.

    • “In actual fact, most such regulations aren’t even focused on IT, but on transparency and accountability in financial reporting. Still, CIOs are bearing the brunt of regulatory compliance requirements as companies look to IT to provide solutions.”

    You can find the event proceedings (i.e. summarized minutes) here:

    I think many readers will also find helpful the many tangents that address what the group felt would be critical skills for future CIOs.

    And finally, before I sign off, let me take the opportunity in this public forum to congratulate you, Stephen, on your recent hat-trick of awards. Way to go!



  4. Barnaby_Jeans says:

    Adam asked the question about whether Microsoft has a suite of tools that we use internally.

    I’m investigating this with some of our teams at HQ and will let you know what I find out.


  5. Anonymous says:

    It’s looming and you can’t ignore it. What am I blogging about? Regulatory Compliance. So take the time…
